This chapter is from the book

Companies invest millions of dollars annually in their computing infrastructure on items such as networking equipment and its maintenance, workstation and server hardware and software, and security devices, among many others. Security professionals must be familiar with the latest products and understand the security implications of their use in a particular environment.

The following is a list of the exam objectives you will be covering in this chapter:

3.1 Understand security concerns and concepts of the following types of devices:

Firewalls

Routers

Switches

Wireless

Modems

RAS (Remote Access Server)

Telecom/PBX (Private Branch Exchange)

VPN (Virtual Private Network)

IDS (Intrusion Detection System)

Network Monitoring/Diagnostics

Workstations

Servers

Mobile Devices

3.2 Understand the security concerns for the following types of media:

Coaxial Cable

UTP/STP (Unshielded Twisted Pair/Shielded Twisted Pair)

Fiber Optic Cable

Removable Media

Tape

CD-R (Recordable Compact Disks)

Hard Drives

Diskettes

Flash Cards

Smart Cards

3.3 Understand the concepts behind the following kinds of security topologies:

Security Zones

DMZ (Demilitarized Zone)

Intranet

Extranet

VLANs (Virtual Local Area Network)

NAT (Network Address Translation)

Tunneling

3.4 Differentiate the following types of intrusion detection, be able to explain the concepts of each type, and understand the implementation and configuration of each kind of intrusion detection system:

Network Based

Active Detection

Passive Detection

Host Based

Active Detection

Passive Detection

Honey Pots

Incident Response

3.5 Understand the following concepts of security baselines, be able to explain what a security baseline is, and understand the implementation and configuration of each kind of intrusion detection system:

OS/NOS (Operating System/Network Operating System) Hardening

File System

Updates (Hotfixes, Service Packs, Patches)

Network Hardening

Updates (Firmware)

Configuration

Enabling and Disabling Services and Protocols

Access Control Lists

Application Hardening

Updates (Hotfixes, Service Packs, Patches)

Web Servers

Email Servers

FTP (File Transfer Protocol) Servers

DNS (Domain Name Service) Servers

NNTP (Network News Transfer Protocol) Servers

File/Print Servers

DHCP (Dynamic Host Configuration Protocol) Servers

Data Repositories

Directory Services

Databases

3.1: Understanding Device Security

Many different types of components make up the present day computer network
infrastructure. Every hardware device you incorporate into the network has its
security concerns. They include firewalls, routers, switches, modems, various
types of servers, workstations, mobile devices, and much more. You must
adequately secure each of these components because a network is only as secure
as its weakest link. The Security+ exam tests your knowledge of the security
issues of all the common network devices.

Exercise 3.1.1: Configuring a Firewall in Windows 2000

A firewall is a device designed to shield internal network components
from threats originating from the outside world. Firewalls work by capturing and
analyzing data entering the network from external points and then rejecting
undesirable types of data according to rules configured on the firewall. The
major types of firewalls are as follows:

Packet-filteringOperating at the Network layer (Layer 3) of
the Open Systems Interconnection (OSI) model, this type of firewall filters
packets based on IP addresses, ports, or protocols. This type of firewall is
frequently configured on a router.

Proxy service firewallA proxy server acts as an intermediary
between internal networks and the Internet. One type of proxy service firewall
is the circuit-level gateway, which operates at the Session layer (Layer 5) of
the OSI model and ensures that sessions established with the internal network
are legitimate. Another type is the application-level gateway, which operates at
the Application layer (Layer 7) of the OSI model and checks for which
application-layer protocols are allowed.

Stateful-inspection firewallThis type of firewall combines
the best of the other firewall technologies by using algorithms to process data
at the OSI Application layer while monitoring communication states. In this
manner, it operates at all layers of the OSI model. The Windows Firewall
included with Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1 is an
example of a stateful-inspection firewall.

Many businesses utilize some type of server or other hardware device as a
firewall. Several companies produce software firewalls that can be used to
protect single computers or small networks. In this exercise, you install and
configure ZoneAlarm, which is a software firewall that is well suited to
protecting home- or small-office computers or networks. Perform this exercise on
a computer running Windows 2000 Professional:

If you want to try out the ZoneAlarm Pro option for 14 days, choose the
Select ZoneAlarm Pro option on this window. You can purchase this program later
if you want.

Follow the instructions in the configuration wizard that next
appears.

When requested, click OK to restart your computer.

When the computer restarts, log back on as administrator. You see the
tutorial shown in Figure 3.1.

Click Next to display the Do I Need to Change the Default Firewall
Settings to Be Secure page. Note the options and then click Next again.

Note the actions performed by ZoneAlarm on each page of this wizard,
including their definition of "zones," which is simpler than that used
by Internet Explorer. When you reach the end of the wizard, click Done.

You can modify all options provided by ZoneAlarm from its control panel.
(See Figure 3.2.)

Figure 3.1 The ZoneAlarm tutorial provides information on the available options and
configuration settings that serve to protect your computer.

Figure 3.2 You can display intrusion information and configure all available
options from the various pages presented by the ZoneAlarm control panel.

Select the various pages provided from the left side of the ZoneAlarm
control panel. These pages are as follows:

OverviewAs shown in Figure 3.2, provides an overview of
the actions that ZoneAlarm has performed.

FirewallAllows you to select the security levels for the
two zones provided by ZoneAlarm.

Program ControlDetermines whether applications are able to
access the Internet.

Antivirus MonitoringDisplays the status of your antivirus
software.

E-mail ProtectionAllows you to turn on MailSafe, which is
a supplement to antivirus software that helps to protect you from email-borne
viruses.

Alerts & LogsAllows you to decide whether to display
messages on the screen when ZoneAlarm blocks an intrusion. Click Advanced to
configure logging properties.

Close the ZoneAlarm control panel when you finish exploring and
configuring the available options.

The most secure computer system is one not connected to a network. However,
isolated systems have few uses in today's environments. The reality is that
your computers will most likely be accessible from remote clients in some
manner. Be aware that every access path to your system has inherent
vulnerabilities.

This exercise directs you to uncover some of the general risks with each type
of remote access. Although each of the remote access approaches we discuss is
more secure than wide-open access, there are still vulnerabilities you must be
aware of and address.

In this exercise, you take a look at a few network access devices and the
security vulnerabilities associated with each one. Let's start with
switches. Although a switch can make it harder for attackers to sniff the network
for valuable information, it can also make it easier to launch some attacks.
Next, we'll look at virtual private networks (VPNs). Although a VPN is a
method to increase connection security, careless implementation can decrease
your overall system's security. Then we'll look at modems. The modems
you know about aren't the ones that will hurt you. It's the ones you
don't know about, that someone has connected to your network, that will cause
problems:

Connect to the Internet and browse to
http://networking.earthweb.com/netsysm/article.php/933801.
This article by Joseph Sloan discusses security problems inherent with switches.
Although switches provide some protection from sniffing of network traffic, this
protection can be circumvented. What are three ways in which this can occur?

NOTE

If the URLs provided in this or other exercises no longer exist, simply use
your favorite search engine to locate other sites that contain information
pertinent to the topics at hand.

Continue to Sloan's second article and summarize several methods by
which you can overcome these problems in a Unix environment.

Navigate to
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=8878.
This article discusses a tool named Arpredirect, which is an Address Resolution
Protocol (ARP) poisoning tool that can sniff traffic across switches. How does
this tool work? What capabilities does it provide for an intruder who uses it to
access data on your network? For more information, you might want to follow the
link provided to Dug Song's Web site, which in turn links to additional
articles related to security concerns of switched networks.
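The detection side of the ARP poisoning discussed above, as an added example that is not from the exercise or the articles it cites: a passive monitor remembers the first IP-to-MAC binding it sees (or a trusted static binding for the gateway) and raises an alert when a later ARP reply rebinds that IP, or when one MAC starts answering for several IPs. The reply log is constructed.

```python
"""Flag ARP cache poisoning from a log of observed ARP replies.

Added defensive example; not the book's code. An ARP redirect tool works by
sending forged replies that rebind a victim's IP (typically the default
gateway) to another MAC, so a monitor that remembers the first binding it
saw for each IP can alert at the moment of the rebinding. Log is constructed."""
from collections import defaultdict

# Constructed ARP reply log: (seconds, sender_ip, sender_mac, target_ip).
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01", "192.168.1.50"),   # real gateway
    (1.0, "192.168.1.50", "00:11:22:33:44:50", "192.168.1.1"),
    (2.0, "192.168.1.1", "00:11:22:33:44:01", "192.168.1.51"),
    (3.0, "192.168.1.1", "00:11:22:33:44:99", "192.168.1.50"),   # forged
    (3.1, "192.168.1.50", "00:11:22:33:44:99", "192.168.1.1"),   # forged
    (3.2, "192.168.1.1", "00:11:22:33:44:99", "192.168.1.50"),   # forged
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert dicts.

    trusted: optional static IP->MAC bindings (at least the gateway) that are
    never overwritten by what is seen on the wire.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac, _target in replies:
        mac = mac.lower()
        known = bindings.setdefault(ip, mac)   # first sighting becomes the binding
        if known != mac:
            alerts.append({"kind": "MAC_CHANGE", "time": ts, "ip": ip,
                           "old_mac": known, "new_mac": mac})
        ips_per_mac[mac].add(ip)
        # One MAC answering for the gateway and a host at once is the
        # man-in-the-middle signature of an ARP redirect (a heuristic: a
        # router with several addresses on one interface also triggers it).
        if len(ips_per_mac[mac]) > 1 and not any(
                a["kind"] == "MULTI_IP" and a["mac"] == mac for a in alerts):
            alerts.append({"kind": "MULTI_IP", "time": ts, "mac": mac,
                           "ips": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES,
                                      {"192.168.1.1": "00:11:22:33:44:01"}):
        print(alert)
```

Pinning the gateway as a trusted binding matters because the forged reply for the gateway is usually the first one sent; without it the monitor only learns the binding from whatever reply arrives first.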

For an account of programming code that enabled hackers to launch denial
of service (DoS) attacks against Cisco routers and switches, go to
http://www.computerworld.com/securitytopics/security/story/0%2C10801%2C83820%2C00.html.
What can happen if this code is run against a router to send a series of IP
packets with a special format? What do network administrators have to do if this
happens? Describe two actions that the networking team must perform to mitigate
this vulnerability.

CAUTION

The use of switches is a good method for limiting hostile sniffing across the
LAN.

In Chapter 2, "Communication Security," you learned how to
configure RAS and VPN from a Microsoft perspective. Navigate to
http://www.ticm.com/info/insider/old/dec1997.html
for a discussion of RAS and VPN vulnerabilities. What are several
vulnerabilities inherent in these technologies? Describe how you would mitigate
each vulnerability.

Matthew Mitchell presents another view of VPN vulnerabilities at
http://www.giac.org/practical/matthew_mitchell_gsec.doc.
How does encapsulation protect the data on the VPN? We will discuss the
encryption algorithms mentioned in this article in Chapter 4, "Basics of
Cryptography." What is the limitation of VPN data encryption? How can an
unprotected network share become a vulnerability, and what are several
consequences of such vulnerabilities? How can an attacker compromise a corporate
network through computers used by telecommuters working from home and connected
by DSL or cable modems, and what consequences can occur? Summarize the
seven-step procedure outlined by Mitchell for protecting users accessing the
network by means of a VPN.

Mark Collier discusses telecom, Voice over IP (VoIP), and PBX security at
http://nwc.networkingpipeline.com/22104067.
What are several possible VoIP deployment scenarios, and how can they be
attacked? Summarize the types of vulnerabilities inherent in these devices, and
note how they include many of the types of attacks you studied in Chapter 1,
"General Security Concepts."

For more information on war dialing and how to mitigate this threat,
continue to
http://www.sans.org/rr/papers/60/471.pdf.
What are several dangers associated with dial-up connections? How does a war
dialer work, and what data can it provide? How can an intruder using a war
dialer cover up his actions? Describe some components of a policy that should be
applied to a company's dial-up users. How can a security professional test
her network's vulnerability to the threat of war dialing?

NOTE

The SANS Reading Room
(http://www.sans.org/rr) is a
good place to look for papers on many topics you need to know for the Security+
exam. The idea in the situation discussed here is to research problems
associated with allowing a secure connection to terminate on an insecure
client.

Unauthorized hardware such as modems presents another threat to the
security of the network infrastructure. Go to
http://www.cert.org/security-improvement/practices/p097.html
and summarize the reasons why unauthorized hardware can be of concern. What are
several means that you can use on a daily or monthly basis to detect
unauthorized modems and other peripherals?

Exercise 3.1.3: Windows Network Monitor

Microsoft provides several support tools that help administrators monitor
network traffic. A network monitor is a tool that sniffs data packets
being transmitted across the network and allows an individual to display and
analyze the contents of packets. This individual could be a hacker or a network
administrator who is searching for evidence of intrusion or other network
problems. Specifically, Microsoft Network Monitor provides visibility into what
types of traffic are traveling across network segments. The version of Network
Monitor depends on the version of Windows you are using. For this exercise, we
use the Network Monitor Capture Utility for Microsoft Windows 2000 Server:

NOTE

Network Monitor is available for Microsoft Systems Management Server, and the
Network Monitor Capture Utility, a command-line implementation with similar
basic capture capabilities, is available for Windows XP Professional. To make
this exercise available to the largest number of installations, we use the
Network Monitor Capture Utility for Windows 2000 Server.

In this exercise, you will install Network Monitor. You will also install
Dynamic Host Configuration Protocol (DHCP) so that you can capture packets from
the four-step DHCP process occurring at a client computer seeking TCP/IP
configuration. You will use two computers, one running Windows 2000 Server and
the other running Windows 2000 Professional or Windows XP Professional. Steps on
a computer running Windows Server 2003 are similar:

Scroll this window, watching the columns labeled Protocol and
Description. You should be able to locate packets for the DHCP protocol with
descriptions labeled Discover, Offer, Request, and ACK (as shown in Figure 3.4).
They represent the four steps of the DHCP process and show how you can use
Network Monitor to capture and analyze data on the network.
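The four DHCP messages above, decoded by hand: an added example, not the book's code, that builds minimal constructed Discover, Offer, Request and ACK payloads, reads the message type from option 53, and checks that the four form one transaction (same xid, ACK confirming the offered address). It is the same decoding Network Monitor performs when it labels the frames.

```python
"""Decode DHCP (BOOTP) payloads and verify the Discover/Offer/Request/ACK
exchange. Added example, not the book's code; packets are constructed."""
import struct

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie after the BOOTP header
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0",
               mac=b"\x00\x0c\x29\xab\xcd\xef"):
    """Minimal constructed message: 236-byte BOOTP header, cookie, option 53."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # broadcast flag
    hdr += b"\x00" * 4                                          # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))             # yiaddr
    hdr += b"\x00" * 8                                          # siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 192               # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return op, xid, yiaddr and the option-53 message type name."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    opts, i = {}, 240
    while i < len(payload):                 # options are type-length-value
        code = payload[i]
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if code == 255:                     # end marker
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"\x00")[0]
    return {"op": payload[0], "xid": xid, "yiaddr": yiaddr,
            "type": MSG_TYPES.get(mtype, "Unknown")}


def handshake_ok(payloads):
    """True for Discover, Offer, Request, ACK sharing one transaction id,
    with the ACK confirming the address that was offered."""
    msgs = [parse_dhcp(p) for p in payloads]
    if [m["type"] for m in msgs] != ["Discover", "Offer", "Request", "ACK"]:
        return False
    same_xid = len({m["xid"] for m in msgs}) == 1
    return same_xid and msgs[1]["yiaddr"] == msgs[3]["yiaddr"] != "0.0.0.0"


# Constructed four-step exchange in the order Network Monitor would list it.
XID = 0x3903F326
EXCHANGE = [
    build_dhcp(1, XID, 1),                          # client: Discover
    build_dhcp(2, XID, 2, yiaddr="192.168.1.100"),  # server: Offer
    build_dhcp(1, XID, 3),                          # client: Request
    build_dhcp(2, XID, 5, yiaddr="192.168.1.100"),  # server: ACK
]
```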

NOTE

After you capture a file of network traffic, you need the complete Network
Monitor tool to view its contents. This tool is available on Microsoft Systems
Management Server.

Consult the Windows Support Tools help file for a complete description of the
Network Monitor Capture Utility.

Figure 3.4 Network Monitor provides information on the contents of frames captured
from the network adapter.

Many utilities allow you to monitor various system events and activity. With
respect to network activity, we'll look at a few common utilities in this
exercise. This exercise focuses on Microsoft Windows, but these utilities are
commonly found on other operating systems as well.

The basic purpose of monitoring utilities is to take a snapshot of activity
so you can improve the performance or security of a system. The utilities
generally provide raw data for you to analyze. The more you can request very
specific data, the quicker you will be able to zero in on pertinent information.
Take the time to learn how to use monitoring utilities and their common
features. You will be rewarded with the information to adjust your systems to
perform the way you intend:

Launch a Windows command prompt by choosing Start, Programs, Accessories,
Command Prompt. If you are using Unix or Linux, these commands are accessible
from the command line in any shell.

Use the ping command to test a remote computer to see
whether it is reachable. Type ping followed by the IP address. (You can also use a
fully qualified domain name [FQDN]; for example, we used ping
http://www.foxnews.com.)
The ping command shows the amount of time it takes to reach the
target system and for the target system to respond (see Figure 3.5).

Figure 3.5 The ping command verifies the existence of and connectivity to a remote
machine on the Internet.

The ping command sends special network packets, Internet
Control Message Protocol (ICMP) echo packets, to remote computers. If the
remote computer allows and responds to ICMP packets, you should get a response
from the ping command. However, some firewalls block or drop ICMP
packets, so the ping command doesn't always report back correctly.
When it doesn't provide a response from the target system, you have to use
other, more sophisticated, diagnostic tools. All ping tells you is that
the target machine responded to an ICMP echo packet.

Use the tracert command to show how many machines, or hops,
exist between your computer and the target (see Figure 3.6). This utility is
useful for diagnosing performance issues because it shows the path between two machines.
Type tracert followed by the IP address or FQDN (for
example, we used tracert
http://www.foxnews.com).

The tracert command is similar to the ping command in
that it sends ICMP echo packets. The difference is in the use of the Time to
Live (TTL) field in the ICMP packet. A router decrements the TTL value when it
receives an ICMP packet, and most routers return a "TTL expired in
transit" message when the TTL value reaches 0. The tracert command
sends out many ICMP packets, with TTL values ranging from 1 up to some maximum
value. At each hop along the way, routers decrement the TTL values. The first
router in the path replies to the packet that started with a TTL value of 1,
the second router replies to the packet whose TTL value started at 2, and so on.
The sender listens for the returned ICMP messages and constructs the route all
the way to the destination.

Figure 3.6 The tracert command provides information on all routers through which
the signal passes to reach a target machine.

Use the netstat command to show the status of ports on
your machine. Type netstat -a to show all ports that are listening
for connections (see Figure 3.7). You can also use netstat to
show which process is listening to a port. This option is nice when you are
trying to find unknown or hostile programs installed on a machine. When you know
that a port is open, you can use other utilities to determine what program
opened the port. In Windows, you need to install third-party utilities, such as
Inzider
(http://ntsecurity.nu/toolbox/inzider/)
or Foundstone's FPortNG tool
(http://www.foundstone.com/knowledge/zips/FPortNG.zip).

Figure 3.7 The netstat -a command displays a list of all ports that are
listening for connections on your machine.
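A way to act on the netstat -a output described above, as an added example that is not the book's code: parse the listing, collect the ports that accept unsolicited input (TCP sockets in LISTENING and every bound UDP socket), and report those missing from an approved baseline so you know which ones to chase down with a port-to-program tool. The netstat output and the baseline are constructed.

```python
"""Parse Windows netstat -a output and compare the listening ports with an
approved baseline. Added example for the netstat step; not the book's code.
The netstat output below is constructed, not captured."""
import re

# Constructed `netstat -a` output from a hypothetical Windows 2000 host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    lab2k:135              lab2k:0                LISTENING
  TCP    lab2k:445              lab2k:0                LISTENING
  TCP    lab2k:1025             lab2k:0                LISTENING
  TCP    lab2k:8899             lab2k:0                LISTENING
  TCP    lab2k:1043             192.168.1.20:445       ESTABLISHED
  UDP    lab2k:137              *:*
  UDP    lab2k:5300             *:*
"""

# Ports this kind of machine is expected to expose (constructed baseline);
# anything else is something an administrator should explain or remove.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_host, port, foreign, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                      # header and blank lines do not match
            proto, host, port, foreign, state = m.groups()
            rows.append((proto, host, int(port), foreign, state or ""))
    return rows


def listening_ports(rows):
    """Ports that accept unsolicited input: TCP in LISTENING, and every UDP
    socket (UDP rows carry no state column, so each bound port counts)."""
    return {(p, port) for p, _, port, _, st in rows
            if (p == "TCP" and st == "LISTENING") or p == "UDP"}


def unexpected_ports(text, baseline=BASELINE):
    """Listening ports not in the baseline, sorted for reporting."""
    return sorted(listening_ports(parse_netstat(text)) - baseline)


if __name__ == "__main__":
    for proto, port in unexpected_ports(NETSTAT_OUTPUT):
        print(f"investigate {proto} port {port}: which program opened it?")
```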

These are just a few of the many monitoring utilities that exist for
capturing and analyzing the status and activity of your systems. Look at your
system's administration documentation for additional utilities. In
addition, check the following sites on the Internet for suitable monitoring
utilities:

What Did I Just Learn?

Now that you have looked at device security, let's take a moment to
review all the critical items you've experienced in this lab:

A firewall is a hardware or software device that stops unwanted network
or Internet traffic from entering a computer or network. ZoneAlarm is a popular
software firewall that is easily configured for home- or small-office
computers.

Every network device has some kind of vulnerability associated with it.
We looked at ARP poisoning as it affects switches, unauthorized modems, and VPN
vulnerabilities.

The Microsoft Support Tools include a simple Network Monitor Capture
Utility that you can use to capture and analyze traffic from the network adapter
of a Windows computer. Although Microsoft makes it easy to capture network data,
it is more important to understand how to interpret network activity.

Several TCP/IP utilities allow you to monitor system activity and
connectivity on Windows, Unix, or other computers.